Nixpkgs security tracker

Permalink CVE-2026-4092

updated 3 months, 1 week ago by @LeSuisse Activity log

Created suggestion 3 months, 1 week ago
@LeSuisse ignored package clasp-common-lisp 3 months, 1 week ago
@LeSuisse accepted 3 months, 1 week ago
@LeSuisse published on GitHub 3 months, 1 week ago

Arbitrary File Write via Path Traversal in Google clasp leading to RCE

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

References

https://github.com/google/clasp/pull/1109

Affected products

Clasp

==< 3.2.0

Matching in nixpkgs

pkgs.google-clasp

Develop Apps Script Projects locally

nixos-unstable 3.2.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0

Ignored packages (1)

pkgs.clasp-common-lisp

Common Lisp implementation based on LLVM with C++ integration

nixos-unstable 2.7.0
- nixpkgs-unstable 2.7.0
- nixos-unstable-small 2.7.0

Package maintainers

@natsukium Tomoya Otabi <nixpkgs@natsukium.com>

Upstream patch: https://github.com/google/clasp/commit/ba6bd666fe74de54950122b5d92ecf1dcc02a9d3